Meltdown - CPU Vulnerability

Armor-Specific Notes

Armor client utilizes Trend DeepSecurity for antivirus. Armor has deployed the necessary updates to DeepSecurity, and all Operating Systems can be patched.

Armor is powered by VMware ESXi, which is not vulnerable to the Meltdown vulnerability. Per VMware: “…Rogue Data Cache Load (CVE-2017-5754), was disclosed along the other two issues. It does not affect ESXi, Workstation, and Fusion because ESXi does not run untrusted user mode code…”

Updates

IMPORTANT: Those with encryption software installed on their system should check with the encryption vendor to ensure compatibility before installing any operating system patches, or significant data loss and/or downtime can occur.

IMPORTANT: Many vendors have released and recalled patches and updates due to major issues after updating. Check with your vendor on recommendations before patching, and as always make sure you test before implementing to production.

Both software and hardware need to be updated to address the vulnerability, including patching all affected operating systems, including host and any VMs.

Overview

The announcement of critical flaws in CPUs produced by Intel, ARM and AMD sent shock waves through the world as we are dependent on them in our day-to-day lives. Researchers have now confirmed three variants of CPU vulnerabilities named Meltdown (variant 3) and Spectre (variant 1&2). The vulnerabilities could potentially allow threat actors to access sensitive data in protected memory by bypassing critical security controls.

The vulnerabilities are present in Intel processors produced in the past decade and some since 1995, as well as some CPUs manufactured by AMD and ARM. This in turn affects any systems running on those processors.

Microsoft released patches to plug Meltdown and certain use-cases of Spectre for supported Operating Systems.

Below information is specific to Meltdown, see the Spectre FAQ for information related to Spectre

Synopsis of the Meltdown problem

Many modern processor architectures perform speculative execution. Speculative execution is an optimization technique wherein an operation is performed before it is determined whether or not the operation is necessary in order to reduce program execution times.

There are many kinds of speculative execution, but this issue occurs with operations that attempt to load kernel assigned memory space. While the read is successfully blocked (preventing the program from just reading and directly displaying the kernel contents), processor caches and state are still changed. By utilizing a side-channel attack, kernel memory contents can be derived.

Armor has not observed any active exploitation. Our Threat Resistance Unit (TRU) is actively watching for any indications of exploitation, and we will post an update if any are observed.

Any machine running an Intel chip made in the last 20 years other than Intel Itanium and Intel Atom before 2013.

Implementing the fix to separate the memory spaces will likely have a performance impact on the systems, though the performance hit will be determined by the type of work occurring on each system and hardware in use.

The impact is expected to be reduced on newer Intel processors with process-context identifiers enabled.

Many antivirus programs are preventing the installation of the patch. If you experience problems installing updates to your operating system, check with your antivirus vendor for instructions.

Per Microsoft, “Customers will not receive the January 2018 security updates (or any subsequent security updates) and will not be protected from security vulnerabilities” unless the installed antivirus is set as compatible on the system.

Please read the associated advisories from software and hardware vendors to determine potential performance impact following the updates.

Any system that allows execution of custom code affected by this vulnerability. Even if not directly affected, virtual machines or containers operating as network devices (such as Cisco) can be targeted if the hosting environment is vulnerable. A list of available updates can be found at the bottom of meltdownattack.com.

Both software and hardware need to be updated to address the vulnerability, including patching affected operating systems, both host and VM.

Cloud providers using affected hardware without mitigating patches applied are vulnerable. Even cloud providers without real hardware virtualization, relying on containers sharing one kernel, such as Docker, are vulnerable if not patched.

Microsoft has patched the Azure infrastructure at the hypervisor level and is not requiring customers to patch their virtual machines for Meltdown protection, however patching is still strongly advised. (note: this patch guidance from Microsoft applies only to Meltdown. See the Spectre FAQ for Spectre response).

Amazon AWS has stated that it’s already protected “nearly all AWS instances” although customers will still have to patch the guest operating systems to guard against compromise within a single virtual machine.

Per Google: “Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers.” Google is still requesting customers patch the guest operating systems for full protection.

Be wary of any vendors claiming to address security risks for this newly announced vulnerability. Until Intel and the operating system developers release further details, we cannot know for sure what mitigating controls could be used to reduce your risk.

Jan 52018

Meltdown: How to Protect Your Company

Every once in a while, there are days those of us in IT know will require extra cups of coffee to get through. The past few days have been among them, as revelations about critical vulnerabilities in microprocessors from Intel, ARM and AMD have caused quite a stir. Dubbed Spectre and Meltdown, these vulnerabilities could […]

Additional Links

Patching Status Matrix See the latest available patches for your operation system(s). This matrix will continue to be updated as patches become available.

Armor exists to protect. Each employee feels our passion, knows the vision and lives the company values. Diversity is key. Every role is important to Armor’s success. We volunteer our best every day and go to any length to ensure our customers are protected.